There’s a new cryptolocker in town and his name is Locky. This little creature sneaks up on you by hiding in a seemingly harmless Word document. If you open it and have macros enabled you can probably say goodbye to your dearest files.
The Locky cryptolocker arrives in an e-mail which has a subject similar to “ATTN: Invoice J-85366971” and a message referring to the invoice. The Word document has a name similar to invoice_J-65988314.doc. The cunning little beast then shows you a scrambled text and the message to enable macros if you want to make it readable.
Once the user enables macros all hell breaks loose and Locky will start encrypting your precious data. Of course it will steer clear of any files that belong to the Windows operating system to avoid breaking the OS and of course to fully concentrate on your juicy files (instead of wasting time on the Windows junk nobody really cares about).
So there you are, everything is neatly encrypted. You can’t even figure out which file is which because Locky will make sure every file that is encrypted gets a nice little randomized filename and a “.locky” extension.
To make things worse, the cryptolocker will also encrypt files on network shares, even if they are not mapped to a local drive.
As is becoming more usual, the malware will also make sure all Volume Shadow Copies are neatly removed from your system. This prevents you from simply reverting to a previous version to get your files back.
Locky will be kind enough to leave a little note in every directory it has visited, and on your desktop background. You will find a lovely ransom note containing instructions on how to pay the hacker to decrypt your files.
Finally Locky will also settle down in the registry, creating 4 keys and changing your wallpaper:
· HKCU\Software\Locky\id — your unique ID
· HKCU\Software\Locky\pubkey — public key
· HKCU\Software\Locky\paytext — the text in the ransom notes
· HKCU\Software\Locky\completed — 1 if the encryption process was completed
· HKCU\Control Panel\Desktop\Wallpaper is set to “%UserProfile%\Desktop\_Locky_recover_instructions.bmp”
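As an added example (not code from the original post or from Cyberforce), here is a Python triage script that checks an exported registry hive for the indicators listed above. It parses the .reg text format that regedit and `reg export` produce (assumed UTF-16 with BOM for Windows Registry Editor 5.00 exports; REGEDIT4 exports are ANSI and would need a different encoding). The sample export embedded in the script is constructed; every value in it, including the pubkey bytes, is made up.

```python
"""Check a Windows registry export (.reg) for the Locky indicators listed
above. Example code added to this post, not a Cyberforce tool.

Usage: reg export HKCU hkcu.reg   (on the suspect machine or a mounted hive)
       python locky_reg_check.py hkcu.reg
"""
import sys
from typing import Dict

# Constructed sample export for the demo; every value in it is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Locky]
"id"="0123456789ABCDEF"
"pubkey"=hex:30,82,01,0a,02,82,01,01,00,c1,\
  de,ad,be,ef
"paytext"="!!! IMPORTANT INFORMATION !!! All of your files are encrypted"
"completed"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Users\\alice\\Desktop\\_Locky_recover_instructions.bmp"
'''

LOCKY_KEY = r'HKEY_CURRENT_USER\Software\Locky'
DESKTOP_KEY = r'HKEY_CURRENT_USER\Control Panel\Desktop'
NOTE_BMP = '_Locky_recover_instructions.bmp'

Registry = Dict[str, Dict[str, object]]


def _parse_value(raw: str) -> object:
    """Decode the three value syntaxes regedit exports use."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    if raw.startswith('hex'):  # hex: or hex(n): comma separated bytes
        body = raw.split(':', 1)[1]
        return bytes(int(b, 16) for b in body.split(',') if b.strip())
    return raw


def parse_reg_export(text: str) -> Registry:
    """Return {key path: {value name: value}}; hex values may span lines."""
    reg: Registry = {}
    current = None
    pending = ''
    for line in text.splitlines():
        line = line.strip()
        if pending:                       # continuation of a hex value
            pending += line
        elif not line or line.startswith(('Windows Registry Editor', 'REGEDIT')):
            continue
        elif line.startswith('[') and line.endswith(']'):
            # exports use the long root name; accept the HKCU shorthand too
            current = line[1:-1].replace('HKCU\\', 'HKEY_CURRENT_USER\\')
            reg.setdefault(current, {})
            continue
        else:
            pending = line
        if pending.endswith('\\'):        # more bytes on the next line
            pending = pending[:-1]
            continue
        name, _, raw = pending.partition('=')
        pending = ''
        if current is None or not name:
            continue
        reg[current][name.strip('"')] = _parse_value(raw)
    return reg


def check_locky_indicators(reg: Registry) -> Dict[str, object]:
    """Map the registry artefacts named in the post to findings."""
    findings: Dict[str, object] = {}
    locky = reg.get(LOCKY_KEY, {})
    if locky:
        findings['locky_key_present'] = True
        for name in ('id', 'pubkey', 'paytext', 'completed'):
            if name in locky:
                findings[name] = locky[name]
        findings['encryption_completed'] = locky.get('completed') == 1
    wallpaper = str(reg.get(DESKTOP_KEY, {}).get('Wallpaper', ''))
    if wallpaper.lower().endswith(NOTE_BMP.lower()):
        findings['ransom_wallpaper'] = wallpaper
    return findings


if __name__ == '__main__':
    text = open(sys.argv[1], encoding='utf-16').read() if len(sys.argv) > 1 else SAMPLE_REG
    for k, v in check_locky_indicators(parse_reg_export(text)).items():
        print(f'{k}: {v!r}')
```

The `id` and `pubkey` values are worth keeping with the case file: the ID is what the ransom note ties the victim to, and `completed` tells you whether the machine was interrupted mid-run, which matters for how much unallocated space is worth carving.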
If you happen to encounter this particular piece of malware, you’re probably wondering if there is anything you can do to stop it or recover your files.
Step 1 is of course to disconnect the infected PC from your network. This will prevent it from encrypting network shares (that is, if it hasn’t done so already) or possibly spreading to other computers.
Step 2 is to remove the malware from your system to prevent it from reactivating once you’ve recovered your files. Also check other machines in the network to make sure it hasn’t spread.
Step 3 is to check your back-ups. Back-ups can save you a lot of trouble. If you do not have any back-ups or if they got encrypted with all the other data you should continue to step 4.
Step 4 is to attempt data recovery by carving unallocated space. When a file gets deleted it does not immediately get wiped from the disk. It lingers until the space is used by another file. This means that if the crypto encrypts the files and then deletes the originals, you might find the originals in unallocated space. The same goes for the volume shadow copies. If you’re lucky you could find a volume shadow copy in there, which could bring back your files if properly restored. If you’re trying this approach I would advise you to do this as fast as possible since the chance of data being overwritten increases the more your computer is used.
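To show what step 4 looks like in practice, here is an added Python example of signature-based carving (not code from the original post or from Cyberforce). It assumes you have already exported the volume’s unallocated clusters to a raw file with a forensic tool; that export is not shown. The “unallocated space” the demo runs on is a constructed byte buffer containing an intact PNG, an intact JPEG, and a PNG whose tail has been overwritten, so the output also shows the failure mode the step warns about: a header with no footer is reported as truncated rather than silently saved as a good file.

```python
"""Signature-based carving of unallocated space (step 4 above). Example code
added to this post, not a Cyberforce tool. Assumes a raw export of the
unallocated clusters; for real images use a memory map instead of read_bytes."""
from pathlib import Path
from typing import Dict, List, NamedTuple, Tuple


class Carved(NamedTuple):
    kind: str
    offset: int
    data: bytes
    complete: bool  # False when no footer was found: tail overwritten or fragmented


# header, footer, and how many bytes of the footer record belong to the file
SIGNATURES: Dict[str, Tuple[bytes, bytes, int]] = {
    'png':  (b'\x89PNG\r\n\x1a\n', b'IEND\xaeB`\x82', 8),
    'jpeg': (b'\xff\xd8\xff', b'\xff\xd9', 2),
    # docx/xlsx/pptx are zip containers; the end-of-central-directory record is
    # 22 bytes (an optional trailing archive comment is ignored here)
    'zip':  (b'PK\x03\x04', b'PK\x05\x06', 22),
}


def carve(buf: bytes, max_size: int = 50 * 1024 * 1024) -> List[Carved]:
    """Find every header and take bytes up to its footer; cap the search at
    max_size so a missing footer cannot swallow the rest of the image."""
    found: List[Carved] = []
    for kind, (header, footer, footer_len) in SIGNATURES.items():
        pos = buf.find(header)
        while pos != -1:
            limit = min(len(buf), pos + max_size)
            fpos = buf.find(footer, pos + len(header), limit)
            if fpos == -1:
                # header without footer: keep what is there but flag it
                found.append(Carved(kind, pos, buf[pos:limit], False))
                pos = buf.find(header, pos + len(header))
            else:
                end = min(fpos + footer_len, len(buf))
                found.append(Carved(kind, pos, buf[pos:end], True))
                pos = buf.find(header, end)
    found.sort(key=lambda c: c.offset)
    return found


def write_carved(found: List[Carved], outdir: Path) -> List[Path]:
    """Dump each hit as <offset>.<kind>, marking incomplete ones in the name."""
    outdir.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    for c in found:
        name = f'{c.offset:012d}{"" if c.complete else ".partial"}.{c.kind}'
        path = outdir / name
        path.write_bytes(c.data)
        written.append(path)
    return written


def build_demo_unallocated() -> bytes:
    """Constructed stand-in for unallocated space: slack bytes, an intact PNG,
    an intact JPEG, and a PNG whose tail was overwritten by a later write."""
    png = (b'\x89PNG\r\n\x1a\n' + b'\x00\x00\x00\rIHDR' + b'\x00' * 13
           + b'\xaa\xbb\xcc\xdd' + b'\x00\x00\x00\x00IEND\xaeB`\x82')
    jpeg = b'\xff\xd8\xff\xe0' + b'JFIF\x00' + b'\x11' * 40 + b'\xff\xd9'
    clobbered = b'\x89PNG\r\n\x1a\n' + b'\x00\x00\x00\rIHDR' + b'\x00' * 20
    filler = b'\x00' * 64
    return filler + png + filler + jpeg + filler + clobbered + filler


if __name__ == '__main__':
    import sys
    image = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_demo_unallocated()
    for c in carve(image):
        print(f'{c.kind:5s} at 0x{c.offset:08x} {len(c.data):8d} bytes '
              f'{"complete" if c.complete else "TRUNCATED (footer missing)"}')
```

Header/footer carving only recovers files that are stored contiguously and whose footer survived, which is exactly why the step says to stop using the machine: every write after the infection overwrites candidates. JPEGs with embedded thumbnails and Office documents with embedded images will also produce nested hits, so expect duplicates and verify each carved file opens before you count it as recovered.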
If the previous step has failed there is probably not much else you can do. You can pay the hackers to get your data back. Most of all you should learn from this experience:
Improve your security, create a great back-up policy and make sure this never happens again by not clicking on every single “Invoice” file that comes your way.
Learn more about Cyberforce’s services at http://www.cyberforce.be
Lien Van Herpe , GCFA
Forensic Analyst at Cyberforce